IETF Logo Mail Archive

Re: [Suit] self-describing format vs fixed/binary manifest structure

Kvamtrø, Frank Audun <frank.kvamtro@nordicsemi.no> Tue, 18 December 2018 16:58 UTC

Return-Path: <frank.kvamtro@nordicsemi.no>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02330131143 for <suit@ietfa.amsl.com>; Tue, 18 Dec 2018 08:58:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.104
X-Spam-Level:
X-Spam-Status: No, score=0.104 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FROM_EXCESS_BASE64=0.105, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nordicsemi.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29aSnMMBuWcG for <suit@ietfa.amsl.com>; Tue, 18 Dec 2018 08:58:12 -0800 (PST)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00073.outbound.protection.outlook.com [40.107.0.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E862E13111F for <suit@ietf.org>; Tue, 18 Dec 2018 08:58:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nordicsemi.onmicrosoft.com; s=selector1-nordicsemi-no; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QKnKbUIbYnvuA7YSE6zQCBxGQWDaIa0mu+aNM9F1IUo=; b=nGkhiEY0KddfWYXR52phglJrObLc9tNflz+ks8w0Tj+6UwN5MtOuq/DGTTraaONnm28tCOiuSnRTPv7zhwEmE0iW4WiBW4vIAiF8KtT1H2qKx/wODQoLMekonisApfX5o57mfHufxofSvaNs0owswSzeWK8NMZpDcVmbE5A3udw=
Received: from AM6PR05MB5639.eurprd05.prod.outlook.com (20.178.86.88) by AM6PR05MB5848.eurprd05.prod.outlook.com (20.178.87.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1425.18; Tue, 18 Dec 2018 16:58:08 +0000
Received: from AM6PR05MB5639.eurprd05.prod.outlook.com ([fe80::2868:9ada:b4d2:ac9e]) by AM6PR05MB5639.eurprd05.prod.outlook.com ([fe80::2868:9ada:b4d2:ac9e%3]) with mapi id 15.20.1425.023; Tue, 18 Dec 2018 16:58:07 +0000
From: "Kvamtrø, Frank Audun" <frank.kvamtro@nordicsemi.no>
To: Martin Pagel <Martin.Pagel=40microsoft.com@dmarc.ietf.org>, Carsten Bormann <cabo@tzi.org>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "suit@ietf.org" <suit@ietf.org>, "dev-mcuboot@lists.runtime.co" <dev-mcuboot@lists.runtime.co>
Thread-Topic: [Suit] self-describing format vs fixed/binary manifest structure
Thread-Index: AdSRuIx24y9fgBmKQIigg64Z3c8zMwAo7OaAADVwiOAAIfQ5AAABSKQQAAFVUAAAAEAAsAC5xaNA
Date: Tue, 18 Dec 2018 16:58:07 +0000
Message-ID: <AM6PR05MB5639B18E94A04E0F7477B853FCBD0@AM6PR05MB5639.eurprd05.prod.outlook.com>
References: <DM5PR21MB069822F40B3F5CC8DBD5F6C69DA70@DM5PR21MB0698.namprd21.prod.outlook.com> <9919.1544647801@localhost> <DM5PR21MB06986BEC8A8DA5AF9137404A9DA00@DM5PR21MB0698.namprd21.prod.outlook.com> <E76EA259-12C7-45CA-A4A2-C322C0B0A591@tzi.org> <DM5PR21MB06983D88A8F9E0499FBB13759DA10@DM5PR21MB0698.namprd21.prod.outlook.com> <762E7832-FD81-4737-ACAD-EDDEF4D8B488@tzi.org> <DM5PR21MB06985C3CED721F65D47742F19DA10@DM5PR21MB0698.namprd21.prod.outlook.com>
In-Reply-To: <DM5PR21MB06985C3CED721F65D47742F19DA10@DM5PR21MB0698.namprd21.prod.outlook.com>
Accept-Language: nb-NO, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=frank.kvamtro@nordicsemi.no;
x-originating-ip: [194.19.86.146]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM6PR05MB5848; 6:P7WrSmDXKfSFP/w8aN/J6TokVkZLTEFs9nMXUOfemqCN+O1MEwoxSUqJ5GhOaI8jC15INTUcXt5tEbPaOffxD8Nm36RaPGpbp1iwAjmaf42xrqUpiP9CXBIqcvVbFnLwY6EGo3xrld0Eny0w5W8mqZV4m8CiajSwB/GJstDODNsUBvMAnxIPanIpueHuxqVdT/ydnd1tf2lZVD2GF224wZPHXxd4v0lYJgYOBnzcDpJt2LmlOup9p75R5AN31MJArluhcXKWnXw6yDAoEU8JdmKKD4SlkMlKn2s2Zhoy+CnwoTl7yCixXWw683hRdC+sOt3KYgg+6H+gKGU4HJv5Nce9tQvU3TFaowdpQGRDmjL3G6z3vjEyszigRA2rgnpWvWRCTXBTwBZUvUhXHgb8H7Fvzemf/IFKf9KADzkRkRjxBG2ihEHVIXA97+Wd83vswheuM1KyyrMIRwlMhHXcfA==; 5:dx7XmQhc2rpfNrgD0rNonSSUUinW+WixphGg3PrzaWX7u2IgF8suxCrFzlX+7miKOhqIpicq5IhAwZhpNHfvdZdNEDpJEVt7PXg6fctpx4Cdqb+TSK3c1WCTdvFN/jSNcMTDUyJ3fey5idaiFTC/82qZgy3+oMKXGSwfcJX0bL4=; 7:994lCuv941lh+97UY0WrG3EHhDwtQWlJKdHBBp4CddK9vOagrYTXYjk4bFaGYXZ01dboXeNLu59gY9Hm191ZLQZOJ3BqEapudEukmmQhIQwMIDMbNHa8ANYxQ3dp+DlOqhi3Ou1H4QoJvnqZd432pg==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 53ae6c8a-45e6-4fb9-c3b0-08d66509fc30
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:AM6PR05MB5848;
x-ms-traffictypediagnostic: AM6PR05MB5848:
x-microsoft-antispam-prvs: <AM6PR05MB5848DF2E9549AE28102A7F3BFCBD0@AM6PR05MB5848.eurprd05.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(999002)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(3231475)(944501520)(52105112)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(201708071742011)(7699051)(76991095); SRVR:AM6PR05MB5848; BCL:0; PCL:0; RULEID:; SRVR:AM6PR05MB5848;
x-forefront-prvs: 08902E536D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(136003)(376002)(39850400004)(346002)(396003)(13464003)(199004)(189003)(85644002)(51444003)(71200400001)(229853002)(81166006)(4744004)(71190400001)(7696005)(3846002)(561944003)(5660300001)(6116002)(186003)(26005)(478600001)(966005)(85182001)(33656002)(68736007)(25786009)(8676002)(476003)(74482002)(81156014)(446003)(11346002)(8936002)(486006)(2906002)(256004)(99286004)(14444005)(6436002)(316002)(93886005)(54906003)(66066001)(74316002)(97736004)(76176011)(6506007)(86362001)(6246003)(110136005)(105586002)(53546011)(55016002)(7736002)(305945005)(6306002)(14454004)(53936002)(9686003)(4326008)(102836004)(106356001)(777600001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR05MB5848; H:AM6PR05MB5639.eurprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nordicsemi.no does not designate permitted sender hosts)
x-microsoft-antispam-message-info: ihP8tixDBjg2lYfrSVkak8oYLnA5ukWUAJyuvLPwuVX9aKw55BSDcFuNvALAn9TXJ5lIY5LTkIILxcFrmLMb4SfAaXe6bDxQTA1L0SksqVLg5CGqxAsaRcXFH9BrvN4PSI27SVyKA4nBO3bn4TXTAupAtj7t6LD7G/DQ4Sfj1KTPEA2/UvYBeZ4zYNXNjLZe3Ur1CbU4psxn9MXup3HYVKvBi6bcHD0CkEwnOeN+4eT3xWGigvG3NijfOuA7tah0aq/JmyiKSNs+BuUm80+/e/RR3S9CIzs3N7j1RqVXS1O8kbwygCxEkUxgM0exH/v7
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nordicsemi.no
X-MS-Exchange-CrossTenant-Network-Message-Id: 53ae6c8a-45e6-4fb9-c3b0-08d66509fc30
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Dec 2018 16:58:07.7637 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 28e5afa2-bf6f-419a-8cf6-b31c6e9e5e8d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR05MB5848
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/OruA0JlVCAPsWOOiCpLQOF2cGXg>
Subject: Re: [Suit] self-describing format vs fixed/binary manifest structure
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 16:58:15 -0000

I didn't have a specific e-mail to respond to with regards to the proposal
for using packed C structs, but the discussion has gone on for quite a while
and I don't believe it is very fruitful. I hear security experts have been
mentioned in previous threads, and I want to point out that this is a logical
fallacy called "argument from authority". If some security experts want to 
comment on this, then please add them to this discussions so we can discuss
the issues first-hand. Or else the claims are difficult to argue against. 
The authors of this draft come from many different forums and I expect that the
IETF SUIT working group is packed with security experts. A base tenet of this
design process it to adhere to threat based analysis as well as using sane 
standardized methods of cryptography and security. Packed C structs raises a 
few flags for me, security wise. It is ad hoc, and I fail to see that this
approach can be certified to be secure. Especially since the content will
differ on many devices.

Please note that I don’t intend to be unnecessarily negative. I've used
18 of the 32 most known serialization formats (according to Wikipedia) myself.
I've even done the error of writing two proprietary serialization formats. 
The main reason for writing my own was either to be more efficient or to be 
more secure. I now know that I was mostly succeeding with the efficiency part.
For the most part I believe that we don't need another serialization format.

I don't think that packed C structs is a valid approach in an IETF standard. 
The formatting is not interoperable or interchangeable. I expect it to only 
work on one device with one configuration, which is asking too little from a 
firmware upgrade mechanism. I question the alleged security benefits that has 
been alluded to in previous e-mails when using packed structs. Simpler does not
mean better, especially when you have to come up with a proprietary system for
versioning to handle interchangeability, and a custom interoperability 
information format to ensure that the data isn't misrepresented or misused.

I want to note that I am not arguing against using multiple serialization 
formats in context of a complex firmware upgrade mechanisms. This may be the 
only way to support firmware upgrades for heterogenous systems that needs to be
upgraded in unison. We have discussed this in previous e-mail threads covering
payload encoding and NUMA/UMA architectures. I do take issue with an intent to 
describe manifest data using a non-serializing serialization format, without 
the exactness that I would expect when encoding and parsing data sent over any 
medium. That includes support for versioning and optional fields that can be
skipped as well as a schema to understand how the data should look to be valid.

The method of having parts of the manifest data in a binary encoding instead of 
using the full IETF SUIT manifest format may make sense in context of a 
simplified boot validation. This is the case if you are reliant on an external
security chip that only supports one format of data (e.g. ASN.1). A specialized
boot validation process can even be encoded in a simpler manifest format
than the full IETF SUIT, to keep the boot validation parser lean, and to ensure
that there aren't any ways to hijack this sensible part of the process

> -----Original Message-----
> From: Suit <suit-bounces@ietf.org> On Behalf Of Martin Pagel
> Sent: 14. desember 2018 17:28
> To: Carsten Bormann <cabo@tzi.org>
> Cc: Michael Richardson <mcr+ietf@sandelman.ca>; suit@ietf.org; dev-
> mcuboot@lists.runtime.co
> Subject: Re: [Suit] self-describing format vs fixed/binary manifest
> structure
> 
> Different MCUs support and need different image formats, crypto algorithms,
> keys, software components etc.  The Update Server already needs to
> understand the capabilities and needs of the MCU it wants to update, there
> is no generic way to update any type of MCU. The question is how to transfer
> that MCU specific data to the MCU. Two approaches have been proposed:
> 1. The Update Server generates a CBOR representation to pack the data and
> the MCU applies some type of CBOR parser to unpack it.
> 2. The Update Server generates a packed C struct the MCU can just load/map
> into memory.

First I want to understand what an update server means is in this context. I
don't see its role clearly stated in the draft documents. Maybe this is 
something that we need to be more explicit about in the architecture or in 
the information model. I feel you are mixing a concept of manifest data 
generation (with signing) and the role of hosting a firmware upgrade on a 
server. The key reason I believe this to be the case is that you state that the
CBOR/packed C struct is server-generated. I think that this is not possible if 
you want to support the multiple signer requirements as described the 
information model use-cases, as well as the broad description inside the 
architecture draft.

There is a similar concept described in the architecture draft that has some 
clearer restrictions in usage. This is the "firmware server" concept, which is 
described as a server that holds the generated firmware images and manifests 
en route to the device where they are to be applied (either through push or 
pull).

The use of the term update server to describe encoding mechanisms begs the
question on how to allow the device operator and the network operator to 
authorize a firmware upgrade in a combined signing operation. If support
for multiple signers is needed, I assume the full firmware upgrade instructions
is either a combination of multiple manifests that are individually signed or 
a manifest that has multiple signers. The key here is that the signed material 
can't be altered or else it loses the signers authorization. This makes an 
"update server" with generation capabilities difficult. Changing the content 
on an intermediate server breaks the concept of multiple authorities. 
Limiting the capabilities of the firmware server to pure device management 
tasks ensures good end-to-end security in the firmware upgrade process.

Using a well-defined serialization format is beneficial to a firmware server.
The firmware server can authenticate the content, e.g. by looking at "best 
before" combined with signature validation to ensure the addition is not
part of a denial-of-service attack. It is also possible for the firmware
server to decode information about the vendor, class and device ID to ensure
the correct device gets the update (in a push scenario). This is data that
is described in the IETF SUIT manifest format, and if this is serialized using
a standardized format it becomes much more available for any intermediary 
actor in the overall firmware upgrade process.

Using a well-defined serialization format is also beneficial to multiple
signers, as parts of the content of the full firmware upgrade can be dealt
with remotely, protecting each signers private keys. It also has clear
interoperability benefits, as you only need to follow the standard to create
your part of the combined firmware upgrade instruction.

Using a packed C struct approach removes these flexibilities. In some cases
it even demands an additional device management information outside of the 
scope of what is defined in the IETF SUIT to facilitate the firmware upgrade. 
This is a very bad thing for the standard. I don't think you can even call 
it a standard in that case...

> 
> Yes, the first approach might be a bit easier for the Update Server as it
> doesn't have to worry about byte alignment etc, but I would rather put the
> burden on the server rather than the MCU in particular if the MCU needs this
> data to boot. As the Update Server already needs to understand the target
> MCU, it might as well understand how to pack the data in a way the MCU can
> easily digest. If I would have to develop a tight boot ROM, I would favor
> the second approach.

I whole-heartedly don't favor the second approach. It has been mentioned before
that here be dragons. Let me try to exemplify some dragons:

-What kind of endianness have you compiled your data to be in this build?
-What are the actual type sizes you are compiling with? Can they change?
-What about alignment issues on the packed types? Will you know when you got 
 that wrong in a graceful manner or will you just hard-fault on unaligned 
 access?
-How large are the enum types in your compilation? Should you disallow enums 
 outright due to potential interoperability issues?
-What happens when you need to amend this format to conform to an issue you
 have discovered? 
-Is there a schema to conform to and how will you deal with optional features?

If these issues aren't addressed in the format of the data then usage
could very easily lead to undefined behavior and potential crashes. There is 
a real risk of bricking a lot of devices if you get this wrong. And it can 
come with a change of the compiler/linker or by setting one faulty define in 
your build system. I believe the minor convenience of a RAM loaded RPC 
format is quite easily overshadowed by how restrictive you need to be 
to ensure that it doesn't lead to failures without any warnings.

All compatibility and interoperability issues can be avoided by using a real
serialization format. For a list of alternatives, please look at the 
following link:
https://en.wikipedia.org/wiki/Comparison_of_data_serialization_formats

IETF SUIT has picked CBOR as the standard and I have no problem with that (TM).
Depending on the complexity of the manifest format, it is fairly easy to create
a parser generator that uses the CDDL schema as input.

If you want a fast binary encoder then you could look at https://capnproto.org/
It has all you need. Like many other binary formats, It has not gone through 
a full security review. But at least it addresses the interoperability and 
interchangeability aspects. It is eons better than a simple packed C struct. 
It even conforms to a schema, which is apt in case of having multiple versions
or differences in supported features.

The rest of the e-mail has been skipped as it has some invalid formatting 
with regards to who says what.

With regards
Frank Audun

v2.23.0 | Report a Bug | By Email